Table of Contents
Quick peek
Sorts out unique User-Agent (devices)
Monitor the occurrence of the keywords
Monitor HTTP GET | POST traffic by IP addresses
DNS

Quick peek

Monitor activities on device eth0, port 80:

-W byline: linefeeds (LF) are printed as linefeeds, which makes the output more readable.
-qt: quiet mode, and print a human-readable timestamp.

# ngrep -d eth0 -W byline -qt port 80

Sorts out unique User-Agent (devices)

In a corporate environment, the desktop/laptop OS build is often standardized.
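Turning that byline output into a per-device User-Agent tally, as an added shell example that is not from the original post: it parses a constructed sample of `ngrep -d eth0 -W byline -qt port 80` output (the sample traffic and the corporate baseline User-Agent string are assumptions) and lists the User-Agents that differ from the standardized build.

```shell
# Constructed sample of `ngrep -d eth0 -W byline -qt port 80` output; it is
# not a real capture. In byline mode every HTTP header line stands on its own
# line and the CR of each CRLF is rendered as a trailing dot.
SAMPLE_NGREP='T 2016/06/22 10:00:01.000001 10.0.0.5:51234 -> 93.184.216.34:80 [AP]
GET / HTTP/1.1.
Host: example.com.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) CorpBrowser/1.0.
.
T 2016/06/22 10:00:02.000002 10.0.0.6:51240 -> 93.184.216.34:80 [AP]
GET /update HTTP/1.1.
Host: example.com.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) CorpBrowser/1.0.
.
T 2016/06/22 10:00:03.000003 10.0.0.77:40000 -> 93.184.216.34:80 [AP]
GET /admin HTTP/1.1.
Host: example.com.
User-Agent: python-requests/2.25.1.
.
'

# Read ngrep byline output on stdin; print "count<TAB>user-agent", most
# frequent first. Only request headers carry User-Agent, so responses in the
# same stream are ignored by the header match.
unique_user_agents() {
    awk '
        /^[Uu]ser-[Aa]gent:[ \t]*/ {
            ua = $0
            sub(/^[Uu]ser-[Aa]gent:[ \t]*/, "", ua)
            sub(/\.$/, "", ua)    # strip the dot ngrep prints in place of CR
            count[ua]++
        }
        END { for (u in count) printf "%d\t%s\n", count[u], u }
    ' | sort -rn
}

# Tally everything except the standardized corporate build (passed as $1);
# what remains is the short list of devices worth a closer look.
unexpected_user_agents() {
    unique_user_agents | awk -F'\t' -v baseline="$1" '$2 != baseline'
}

printf '%s' "$SAMPLE_NGREP" | unique_user_agents
printf '%s' "$SAMPLE_NGREP" | unexpected_user_agents 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) CorpBrowser/1.0'
```

On a live box, replace the sample with `ngrep -d eth0 -W byline -qt port 80 | unique_user_agents`; both functions read stdin.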
Table of Contents
Dnstop
Tcpdump
Wireshark / Tshark

Dnstop

Dnstop is a console libpcap application that displays various tables of DNS traffic on a network, including:
Source IP addresses
Destination IP addresses
Query types
Top level domains
Second level domains

# dnstop enp0s3 -l 3

Use ctrl-r to reset the counters and refresh the history to get the latest queries.

Tcpdump

Capture packets from port 53 (DNS):
Table of Contents
MacOS’s Airport
Wireshark

MacOS’s Airport

MacOS’s Airport is a built-in wireless utility that comes preinstalled with MacOS.

$ ll /usr/local/bin/airport
lrwxr-xr-x 1 root wheel 89 Jun 22 2016 /usr/local/bin/airport@ -> /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

Perform a wireless broadcast scan to get the list of access points in the neighborhood:

Sniff 802.11 frames on channel 1. The output is in pcap format and can be opened with tcpdump/wireshark:

$ airport en0 sniff 1
Capturing 802.